
Formal Security proposal

So I'm doing a network security audit for my grad project, and I was wondering if anyone knows any templates or examples of a formal security proposal. Like what I plan to do and how and such. Or maybe contact info for someone who does? Any help would be appreciated.

And then it happened... a door opened to a world... rushing through the phone line like heroin through an addict's veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought... a board is found. "This is it... this is where I belong..." I know everyone here... even if I've never met them, never talked to them, may never hear from them again... I know you all...

Well, what do you plan on proposing? What kind of security? Physical? Digital? Both? Social engineering attempts? Is this a pen test? Or just a "textbook" type audit where in theory things should be right? Are you doing only network equipment or the computers on the network? What type of place are you auditing? The type of business will determine greatly how you submit a proposal.

Regardless, you will need to state what you want to do, why you want to do it, and why it will benefit the person you are doing it for. Include costs, downtime, risk analysis.

Templates for this type of thing are not that good because they go on such a case by case basis.

I may be a bit too business oriented, but my first thought after
quick-reading your post was CobIT[1]. I realise it may be "overkill"
for your grad project, but at least it gives you a starting point. Here, I
try to give you a list of keywords with which you can continue. I'd
be happy to learn more myself.

CobIT has been developed by ISACA (Guidelines[2]) as a "generally
applicable and accepted standard for good Information Technology
security and control practices that provides a reference framework
for management, users, and IS audit, control and security practitioners."
CobIT takes care of a huge variety of standards, including qualification
criteria like NIST, ITSEC[3a], Common Criteria[3b], AS7799.2[4],
SPICE (ISO 15504), ...) and provides an integral framework for auditing.

Furthermore, take a look at ISO/IEC 17799[5], which will provide you
some kind of a checklist. It is a code of practice.
ITIL[6] comes to mind. For the combination CobIT, ITIL and ISO 17799
check this PWC-overview[7].

/edit: In case I misunderstood your request: Have a look at SANS audit
policy template[8]

Originally posted here by XTC46: Well, what do you plan on proposing? What kind of security? Physical? Digital? Both? Social engineering attempts? Is this a pen test? Or just a "textbook" type audit where in theory things should be right? Are you doing only network equipment or the computers on the network? What type of place are you auditing? The type of business will determine greatly how you submit a proposal.

Regardless, you will need to state what you want to do, why you want to do it, and why it will benefit the person you are doing it for. Include costs, downtime, risk analysis.

Templates for this type of thing are not that good because they go on such a case by case basis.

XTC46 has asked all the right questions. I'll disagree with his last statement, but I think it may be a matter of semantics...

You are asking for help with a template for the proposal, correct? Easily done. However, we do need the info he is asking about. In a business relationship, this proposal would be considered a formal proposal for services rendered, normally. It could be a contract, or simply the policy & procedure document that is referred to in the contract. Regardless, it should identify both parties, a statement of intent, a description (and link?) of any and all tools that may be used during any physical or digital assessments, and some guidelines on what will and will not be done (i.e. the boundaries...a good example of this is "...we will pursue and attempt to confirm any vulnerabilities up to but excluding actually exploiting the weakness.")

Consider the following Table Of Contents from just such a proposal. I've scrubbed the info, and due to client confidentiality I can not disclose anything else from this document, but this might help you form up something for your project.

Yikes. That is a lot...but I think it should help you decide what format and content you want in your project paper. Keep in mind that these proposals are what we laughingly refer to as the 'Get Out of Jail Free Pass'. This is the legal document that will Save Your Ass(C) if you are accused of malicious hacking. *IF* it's done right, and signed/documented by all parties. It goes without saying that this contract (we use this as a contract itself) goes through Legal before it's even presented to the client.

"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
"Anyone who is capable of getting themselves made president should on no account be allowed to do the job." --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." --Albus Percival Wulfric Brian Dumbledore

Foundstone has developed this Request For Proposal (“RFP”) template to help organizations identify and select a quality security vendor to perform professional services work. It also lists questions organizations should consider asking potential vendors to ensure that a thorough and comprehensive approach to the project will be taken. This template should apply in a variety of security-related situations including:

What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

I plan on looking at both digital and physical security as well as a small amount of social engineering. I plan on doing pen-testing on a small ISP. I'll be doing this on both the computers in the office and the network equipment. Thanks for the help.


Templates for this type of thing are not that good because they go on such a case by case basis.

Sorry, I meant taking someone else's template wouldn't be that great because what you're auditing may have nothing to do with what they were auditing. Not that creating a template is a bad idea. Poor wording, sorry.

And is this going to be just the proposal for the work, or are you including the final contract as to what is going to be done, and the results? If so, you need to take A LOT of things into consideration, such as what's acceptable and what to do with found information. During pentesting you are no doubt going to come across some "sensitive" information. Make sure you have all the NDAs signed by you and your team. Also, check who is allowed to see the results of the test, who you report to, who should know you are doing the tests. Things along these lines.

Kevin Mitnick's new book "The Art of Intrusion" actually goes into this type of stuff fairly well.